
Two high-severity security flaws have been disclosed in the open-source ruby-saml library that could allow malicious actors to bypass Security Assertion Markup Language (SAML) authentication protections.
SAML is an XML-based markup language and open standard used for exchanging authentication and authorization data between parties, enabling features like single sign-on (SSO), which allows people to use a single set of credentials to access multiple websites, services, and apps.
The vulnerabilities, tracked as CVE-2025-25291 and CVE-2025-25292, carry a CVSS score of 8.8 out of 10.0. They affect the following versions of the library:
- < 1.12.4
- >= 1.13.0, < 1.18.0
Both shortcomings stem from the fact that REXML and Nokogiri parse XML differently, causing the two parsers to generate entirely different document structures from the same XML input.
This parser differential allows an attacker to execute a Signature Wrapping attack, leading to an authentication bypass. The vulnerabilities have been addressed in ruby-saml versions 1.12.4 and 1.18.0.
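As an added example, not code from the article or from the ruby-saml project, the following Ruby check reads a Gemfile.lock, extracts the pinned ruby-saml version and classifies it against the affected ranges listed above; the lockfile text is constructed for the demonstration.

```ruby
require "rubygems"

# Constructed Gemfile.lock fragment (not from the article) used as offline input.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.3)
      ruby-saml (1.17.0)
        nokogiri (>= 1.13.10)
        rexml
LOCK

# Affected ranges as stated in the advisory; fixed releases are 1.12.4 and 1.18.0.
AFFECTED = [
  Gem::Requirement.new("< 1.12.4"),
  Gem::Requirement.new(">= 1.13.0", "< 1.18.0"),
].freeze

# Returns the pinned ruby-saml version from a Gemfile.lock, or nil if the gem is absent.
# Spec entries sit exactly four spaces deep; their dependencies sit six deep and are skipped.
def ruby_saml_version(lockfile_text)
  m = lockfile_text.match(/^ {4}ruby-saml \(([^)]+)\)$/)
  m && m[1]
end

# Classifies a version string as :affected, :patched or :unknown (absent or unparseable).
def classify(version_string)
  return :unknown if version_string.nil?
  v = Gem::Version.new(version_string)
  AFFECTED.any? { |req| req.satisfied_by?(v) } ? :affected : :patched
rescue ArgumentError
  :unknown
end

# Smallest fixed release on the same branch: 1.12.4 for the 1.12 line, 1.18.0 otherwise.
def recommended_fix(version_string)
  Gem::Version.new(version_string) < Gem::Version.new("1.13.0") ? "1.12.4" : "1.18.0"
end

# Full check for one lockfile: version found, status, and the release to move to if affected.
def check_lockfile(lockfile_text)
  ver = ruby_saml_version(lockfile_text)
  status = classify(ver)
  { version: ver, status: status, fix: status == :affected ? recommended_fix(ver) : nil }
end

puts check_lockfile(SAMPLE_LOCKFILE).inspect if $PROGRAM_NAME == __FILE__
```

Point `check_lockfile` at `File.read("Gemfile.lock")` to scan a real application; a `:patched` result only covers the three CVEs named in this article.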

Microsoft-owned GitHub, which discovered and reported the problems in November 2024, said they could be abused by malicious actors to conduct account takeover attacks.
“Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and are in turn able to log in as any user,” GitHub Security Lab researcher Peter Stöckli said in a post.

The Microsoft-owned subsidiary also noted that the issue boils down to a “disconnect” between verification of the hash and verification of the signature, opening the door to exploitation via a parser differential.
Versions 1.12.4 and 1.18.0 also plug a remote denial-of-service (DoS) flaw when handling compressed SAML responses (CVE-2025-25293, CVSS score: 7.7). Users are recommended to update to the latest version to safeguard against potential threats.
The findings come nearly six months after GitLab and ruby-saml moved to address another critical vulnerability (CVE-2024-45409, CVSS score: 10.0) that could also result in an authentication bypass.